lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADBMgpx9hwHaWe=m2kQhKOJFWnLSejoWa6wz1VECEkLhWq4qog@mail.gmail.com>
Date:   Fri, 17 Jun 2022 15:05:30 -0700
From:   Dylan Hatch <dylanbhatch@...gle.com>
To:     Shuah Khan <skhan@...uxfoundation.org>
Cc:     Shuah Khan <shuah@...nel.org>, linux-kernel@...r.kernel.org,
        linux-fsdevel@...r.kernel.org, linux-kselftest@...r.kernel.org
Subject: Re: [PATCH] selftests/proc: Fix proc-pid-vm for vsyscall=xonly.

On Fri, Jun 17, 2022 at 12:38 PM Shuah Khan <skhan@...uxfoundation.org> wrote:
>
> On 6/17/22 12:45 PM, Dylan Hatch wrote:
> > On Thu, Jun 16, 2022 at 4:01 PM Shuah Khan <skhan@...uxfoundation.org> wrote:
> >>
> >> On 6/16/22 3:10 PM, Dylan Hatch wrote:
> >>> This test would erroneously fail the /proc/$PID/maps case if
> >>> vsyscall=xonly since the existing probe of the vsyscall page only
> >>> succeeds if the process has read permissions. Fix this by checking for
> >>> either no vsyscall mapping OR an execute-only vsyscall mapping in the
> >>> case were probing the vsyscall page segfaults.
> >>>
> >>
> >> Does this fix include skipping the test with a clear message that
> >> says why test is skipped?
> >>
> >>> Signed-off-by: Dylan Hatch <dylanbhatch@...gle.com>
> >>> ---
> >>>    tools/testing/selftests/proc/proc-pid-vm.c | 20 +++++++++++++++-----
> >>>    1 file changed, 15 insertions(+), 5 deletions(-)
> >>>
> >>> diff --git a/tools/testing/selftests/proc/proc-pid-vm.c b/tools/testing/selftests/proc/proc-pid-vm.c
> >>> index 28604c9f805c..5ca85520131f 100644
> >>> --- a/tools/testing/selftests/proc/proc-pid-vm.c
> >>> +++ b/tools/testing/selftests/proc/proc-pid-vm.c
> >>> @@ -213,9 +213,12 @@ static int make_exe(const uint8_t *payload, size_t len)
> >>>
> >>>    static bool g_vsyscall = false;
> >>>
> >>> -static const char str_vsyscall[] =
> >>> +static const char str_vsyscall_rx[] =
> >>>    "ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0                  [vsyscall]\n";
> >>>
> >>> +static const char str_vsyscall_x[] =
> >>> +"ffffffffff600000-ffffffffff601000 --xp 00000000 00:00 0                  [vsyscall]\n";
> >>> +
> >>>    #ifdef __x86_64__
> >>>    static void sigaction_SIGSEGV(int _, siginfo_t *__, void *___)
> >>>    {
> >>> @@ -261,6 +264,7 @@ int main(void)
> >>>        int exec_fd;
> >>>
> >>>        vsyscall();
> >>> +     const char *str_vsyscall = g_vsyscall ? str_vsyscall_rx : str_vsyscall_x;
> >>>
> >>>        atexit(ate);
> >>>
> >>> @@ -314,7 +318,8 @@ int main(void)
> >>>
> >>>        /* Test /proc/$PID/maps */
> >>>        {
> >>> -             const size_t len = strlen(buf0) + (g_vsyscall ? strlen(str_vsyscall) : 0);
> >>> +             const size_t len_buf0 = strlen(buf0);
> >>> +             const size_t len_vsys = strlen(str_vsyscall);
> >>>                char buf[256];
> >>>                ssize_t rv;
> >>>                int fd;
> >>> @@ -325,11 +330,16 @@ int main(void)
> >>>                        return 1;
> >>>                }
> >>>                rv = read(fd, buf, sizeof(buf));
> >>> -             assert(rv == len);
> >>> -             assert(memcmp(buf, buf0, strlen(buf0)) == 0);
> >>>                if (g_vsyscall) {
> >>> -                     assert(memcmp(buf + strlen(buf0), str_vsyscall, strlen(str_vsyscall)) == 0);
> >>> +                     assert(rv == len_buf0 + len_vsys);
> >>> +             } else {
> >>> +                     /* If vsyscall isn't readable, it's either x-only or not mapped at all */
> >>> +                     assert(rv == len_buf0 + len_vsys || rv == len_buf0);
> >>>                }
> >>> +             assert(memcmp(buf, buf0, len_buf0) == 0);
> >>> +             /* Check for vsyscall mapping if buf is long enough */
> >>> +             if (rv == len_buf0 + len_vsys)
> >>> +                     assert(memcmp(buf + len_buf0, str_vsyscall, len_vsys) == 0);
> >>>        }
> >>>
> >>>        /* Test /proc/$PID/smaps */
> >>>
> >>
> >> The change looks good to me. Doesn't look like it skips the test though?
> >
> > Instead of skipping the test, it changes the passing condition to
> > accept both cases of an unmapped vsyscall page and an x-only vsyscall
> > page. Differentiating between these two cases without relying on
> > /proc/$PID/maps would involve both checking the kernel command line
> > for vsyscall=xonly and having a special ifdef block for
> > CONFIG_VSYSCALL_XONLY, so accepting both as passing conditions seems
> > like a simpler solution.
> >
>
> It depends on the goal of the test. Is the test looking to see if the
> probe fails with insufficient permissions, then you are changing the
> test to not check for that condition.

The goal of the test is to validate the output of /proc/$PID/maps, and
the memory probe is only needed as setup to determine what the
expected output should be. This used to be sufficient, but now it can
no longer fully disambiguate it with the introduction of
vsyscall=xonly. The solution proposed here is to disambiguate it by
also checking the length read from /proc/$PID/maps.

>
> I would say in this case, the right approach would be to leave the test
> as is and report expected fail and add other cases.
>
> The goal being adding more coverage and not necessarily opt for a simple
> solution.

What does it mean to report a test as expected fail? Is this a
mechanism unique to kselftest? I agree adding another test case would
work, but I'm unsure how to do it within the framework of kselftest.
Ideally, there would be separate test cases for vsyscall=none,
vsyscall=emulate, and vsyscall=xonly, but these options can be toggled
both in the kernel config and on the kernel command line, meaning (to
the best of my knowledge) these test cases would have to be built
conditionally against the conflig options and also parse the command
line for the 'vsyscall' option.

Thanks,
Dylan

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ